El Fon Blog

Today’s HAK5 video podcast features Darren Kitchen doing a demonstration of replacing stock Fon firmware on a FON2100 with Jasager Karma using the Freifunk Ap51 EasyFlash GUI utility.

If you prefer an online tutorial, with plenty of excellent pictures, you can find it here in Kitchen’s blog, or here in the Hack5 forum.

I haven’t followed these steps personally, and haven’t used some of the helper tools, but everything looks ok after brief inspection. Use at your own risk.

As usual, i’m VERY amused at all of the references to some kind of device called “a FON”, and still don’t understand how a young, four-legged ruminant is involved, but then noone ever listens to me.

Fans of FreeWLAN, will take an interest in FrancoFON. Both of these projects have designed firmware plugins, which improve Fon’s La Fonera v1.x wifi router firmware. They impliment features that Fon stripped out of open-source OpenWRT, or enhance existing features.

Here are the highlights of the current version 2.23.6:

This is very similar to the feature-set of FreeWLAN. Both projects support multiple languages, but if you are interested in joining development, speakers of German may prefer FreeWLAN, while speakers of French may prefer FrancoFON.

Though this edition dates from May 15, 2008, FrancoFON is back from holiday with the September Newsletter, and have plans to enhance the La Fonera Plus/2 router next!

Fon President Martin Varsavsky has posted an adorable leetle survey on his blog today. Either he has no idea why Fon is failing under his leadership, or else he knows, and won’t list those reasons because he has no intention of fixing them.

The reason most Foneros have quit Fon is due to anemic equipment and firmware imposed upon them, and the culture of dishonesty in Fon’s press releases and business practices.

After promising to give us firmware which supported dual-SSIDs, Fon switches the bait and presents us with their proprietary, locked-down 1-port router with this feature. No dual-SSID for us Linksys and Buffalo Foneros. It’s just as well, because it turns out that many wifi adapters can’t cope with the little transmission trick that produces two SSIDs.

People with pre-existing home networks discover that they can’t access their LAN resources, even when using the private WLAN. There is no “bridge to WAN” feature. This device *looks* like an AP, but is instead a NAT router. This is one of the main reasons people abandoned Fon. They didn’t want to *start* a network. They needed to *expand* one (and on a budget).

This little overheating brick had WDS meshing built-in at first, but this was undocumented. Hackers learned to use it to aquire an Internet connection without paying or logging in. Fon quickly took WDS out, and has still never admitted it existed. Pres. V pontificates in his blog that the range-extending Fontenna (he sells) is superior to connection-relaying meshing, despite the poor performance of said Fontenna. He should have instead sold us a kit to mount the router outside, with an embedded booster antenna and PoE adapter.

Nearly two years later, La Fonera still doesn’t support MAC cloning, which is such a trivial feature to add. It is necessary for modems/ISPs which lock your service to your WAN MAC. This is another big reason people abandoned Fon- they never got it connected to the Internet. This feature wouldn’t even threaten the sales of additional Fon hardware.

Instead of improving the La Fonera firmware (except to rush out patches to keep people from aquiring better access to their device and developing new features), Fon spends R&D on further routers: Want one precious LAN jack? Buy the new router, at twice the price of the old one! This is surely why they don’t give us WAN bridge in the original La Fonera for free.

What would Foneros really prefer that Fon focus their attention on? Bringing the feature set of the router at least up to the point of every other cheap router on the market, nurturing and empowering the creative community that has built up around Fon, and showing some real progress for a change. Instead, here is “La Fonera Orwellian Name”, for $100, which lets you download free bittorrents of Fearless Leader’s video clips. Ugh.

“Buy thees Skype phone and make calls for free at any Fon hotspot in the world!” they said. Well, sure- if you had the encryption key for all of those Fonero’s private networks. The darn thing wasn’t able to log in through Fon’s public hotspot, until many months later, when a firmware patch was provided. Calls were then free if they were Skype-to-Skype, or you were spending the included “free” 20 trial Skypeout minutes. Skype pulled the ads down. Ugh.

“We split the profits 50-50!”. An outright lie. First, Fon takes unspecified “fees and taxes” out, then splits what is left. Fon refuses to itemize this amount, which varies from country to country and depends on the ISP, so there is no way to tell if they are paying you fairly. Fon only pays Bills if their hotspot is the Point Of Sale for day passes, not for bandwidth, length of wifi sessions, or number of customers. If paid-up customers wander over to his hotspot, Bills get nothing for the service he provides.

Fon’s price per day is quite reasonable when compared to other for-pay mobile Internet services. However, wifi is free in virtually every coffee shop in the USA, many restaurants and libraries, and provided by many municipalities throughout the city centers. Fon won’t budge on the price, or add something to make their service more desireable than free wifi, like VPN encryption.

Fon’s system mimics other “instant hotspot in-a-box” offerings, but these competitors are offering more flexible terms in setting prices and managing equipment. The competitors let you have control of your Internet connection, your router, and the appearance of your hotspot to the public. Fon pretends that they do too, but in reality, you have almost no control over what they clearly consider to be *their* router, and *their* hotspot.

It’s been obvious in recent months that Fon is fading away. Varsavsky spends his time supporting side projects, which have nothing to do with wifi (Mexican Wave, Fon URL Sortener, and several ways to abuse Gmail), and writing bizzare articles in his Fon Blog. Varsavsky recently dumped much of his Fon stock.

Fortunately, there is a thriving community of hackers who still develop improvements for La Fonera wifi routers. If a Fonero is willing to void his router’s warranty, he can have his MAC cloning, WAN bridge and much more. While they can do nothing about Fon’s awful profit-sharing, the routers themselves can even be flashed with entirely different firmware, and be used with other wifi networks, or even liberated entirely, including features usually found only in very expensive equipment.

There are so many other points, I could write volumes. Please visit Varsavsky’s blog, and instead of taking his survey, leave him comments which surely will fall outside his carefully selected choices.

UPDATE: Y’all will find this very interesting. Martin approved another round of comments to that post in his blog. While he approved a comment I made under a fake name, he did not approve a more coherent comment I made, as myself, discussing the exact same points, somewhat earlier that day. This is not proper management of his blog, this is censorship of those whom he dislikes. What a skunk!

Here are instructions for restoring your FON firmware entirely through the serial connector. Most instructions which i’ve seen on the web assume that you have telnet over Ethernet access to Redboot, which is a chicken and egg problem!

EDIT: ChrisPHL points out that I can enable telnet over Ethernet before I even init or flash any firmware by using the RedBoot FCONFIG command: FreeWLAN.info. So why follow this tutorial? While serial console may be slower than uploading via Ethernet, you’ll save time because you won’t need to set up TFTP server, manually configure TCP/IP, rearrange cords, change cords back, reconfigure DHCP, etc.

This tutorial worked just fine for my La Fonera 1.0 (FON2100). If you have the La Fonera 1.1 (FON2200), 1.5 (FON2201), or 2.0 (FON2202), you may find that telnet over Ethernet is allready enabled! One reader has informed me that his newer FON2200 seems to have an *older* version of RedBoot (V1.00 - built 10:37:27, Dec 12 2006) installed on it than mine (V1.3.0), and that the memory range begins at a different address. If this tutorial doesn’t seem to do the trick, try k0k0’s German tutorial, which uses different addresses starting with the second ‘load’ command. FON2201 and FON2202 use different firmware and are based on yet another circuit board. They will certainly require different load addresses.

It is possible to transfer the files using XMODEM or YMODEM if you use a terminal emulator like HyperTerminal. ZMODEM would be even faster and more accurate, but I was unable to get that to work. When I used HyperTerminal, I am pretty sure I used hardware handshaking, but k0k0, administrator of FreeWLAN’s forums recommends setting this to NO handshaking. This may be necessary if you can receive text from the serial port, but cannot get it to respond to keystrokes.

The two firmware files, rootfs.squashfs and kernel.lzma were aquired from this archive, and are stored on my local hard drive. I did not set up a TFTP or web server, as that would require a network connection, and is again, a chicken and the egg problem.

To start with, I have built a working serial voltage adapter, as seen in my previous post, interrupted the bootup with CTL-C, and executed the following commands in Redboot:

1) RedBoot> baudrate 115200 (much faster connection, but I needed to close and restart HyperTerminal using the new speed)

2) RedBoot> fis init -f (this deletes all of the onboard firmware!)

typical response from RedBoot:
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0×80ff0000-0×81000000 at 0xa87e0000: .

The following commands and memory addresses are taken directly from the DD-WRT tutorial on “Reflashing LaFonera original firmware“, except that i’ve gotten the files I need by other means, and i’ve adjusted the commands for using YMODEM over the serial console instead of TFTP server at a fixed IP. You may use XMODEM if you choose instead, but it is a bit slower. If you must use XMODEM, and it will not start, try switching your terminal emulator from hardware handshaking to XON/XOFF - or vice-versa.

3) RedBoot> load -r -m ymodem rootfs.squashfs -b 0×80040450

typical response from RedBoot:
CCCCRaw file loaded 0×80040450-0×801c044f, assumed entry at 0×80040450
xyzModem - CRC mode, 2(SOH)/1536(STX)/0(CAN) packets, 6 retries

Whew! That was fun! I haven’t used YMODEM since the early 1980’s! As you see “xyzModem” implies that ZMODEM is supported, but the command “-m ZMODEM” is rejected by RedBoot. YMODEM and XMODEM may sit idle for a while before they start transferring. Be patient.

4) RedBoot> fis create -b 0×80040450 -f 0xA8030000 -l 0×00700000 -e 0×00000000 rootfs

typical response from RedBoot: (THIS CAN TAKE A LONG TIME!)
… Erase from 0xa8030000-0xa8730000: ……………………………………
…………………………………………………………….
… Program from 0×80040450-0×80740450 at 0xa8030000: ……………………..
……………………………………………………………………..
……
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0×80ff0000-0×81000000 at 0xa87e0000: .

5) RedBoot> load -r -m ymodem -b %{FREEMEMLO} kernel.lzma

typical response from RedBoot:
CCRaw file loaded 0×80040800-0×800c07ff, assumed entry at 0×80040800
xyzModem - CRC mode, 2(SOH)/512(STX)/0(CAN) packets, 4 retries

6) RedBoot> fis create -r 0×80041000 -e 0×80041000 vmlinux.bin.l7

typical response from RedBoot:
… Erase from 0xa8730000-0xa87b0000: ……..
… Program from 0×80040800-0×800c0800 at 0xa8730000: ……..
… Erase from 0xa87e0000-0xa87f0000: .
… Program from 0×80ff0000-0×81000000 at 0xa87e0000: .

7) RedBoot> fis load -l vmlinux.bin.l7

typical response from RedBoot (after a really long pause):
Image loaded from 0×80041000-0×801ba000

RedBoot> exec

typical response from RedBoot:
Now booting linux kernel:
Base address 0×80030000 Entry 0×80041000
Cmdline

At this point the serial connection froze. I powercycled La Fonera and observed Redboot come up, and then the serial connection froze again shortly after stating that it was booting the linux kernel… but Wireless Connection Manager showed that MyPlace had been created and I was able to access the onboard web admin. The router is now factory-fresh, circa firmware version 0.7.1 r1!

Next, i’ll leave the Ethernet disconnected, and configure the fonware over a wifi connection to load FreeWLAN. Once that is working, then i’ll install the CAMICIA modified bootloader over SSH *before* I begin experimenting with configuration changes again.

EDIT: The following page of RedBoot Command Line Options helped me a lot in making this tutorial: AdvancedRelay

Well, all great minds screw up once in a while. I was thrilling away with my La Fonera 1.0, freshly hot-rodded with FreeWLAN v0.9.2, when the Fon came to a screeching halt! I was trying to do something Really Cool, and set it up as a Transparent Ethernet bridge. In this mode, the La Fonera would work as a wifi client device. The WAN Ethernet port would be repurposed as a LAN port, which would be bridged to the upstream LAN and DHCP server. This way, I could turn my tiny USB-Ethernet print server into a wireless one.

Well, it turns out that FreeWLAN’s QRM implementation isn’t quite working perfectly. To make matters worse, I can’t just hold down the ‘ole reset button because that button is ignored until the firmware finishes booting and polls it! This La Fonera isn’t finding the WLAN I configured it to join, so it isn’t setting up it’s virtual interfaces. I’m told that it’s stuck in this incompletely booted state forever. All I can do is ping it under very particular circumstances. No SSH, and no web admin exist any more.

Proponents of FreeWLAN advise flashing the kernel ASAP with one which allows reflashing the firmware over the Ethernet cable. I have done this before, when I was using DD-WRT for the La Fonera, but had not yet done it with this particular router. This leaves only flashing by serial connector. This is often referred to as a “JTAG” connector, but technically the La Fonera just has a serial connector that is simply at a lower voltage (TTL) than the serial port (RS232) you may have on the back of your PC. This requires a voltage-level adjustor. The folks at FreeWLAN were very helpful in providing me a list of options, and I decided that I would build the serial adaptor myself.

CLICK ANY PICTURE BELOW FOR LARGER IMAGE

La Fonera 1.0 (FON2100)                 La Fonera 1.1 (FON2200)

The popular design utilizes a Maxim 232 or 3232 integrated circuit. Maxim will provide free samples of this part, with free shipping from their website. I ordered two, which arrived about a week later.

I went to Radio Shack, our local overpriced electronics parts store, for 5 polarized tantalum capacitors, a small breadboard, and a 9-pin female serial connector. The bill came to $12.91 with tax.

I used sections of an old floppy cable for wire and for the connector to the La Fonera, as the holes were exactly right.

As luck would have it, the first one I built didn’t work properly. On my first trip to Radio Shack, I had bought slightly cheaper nonpolarized electrolytic capacitors. The MAX3232 datasheet said that nonpolarized would work, but perhaps that is not so for this particular project. I’m happier with the way the much smaller tantalum capacitors look, anyway.

We have RedBoot!

Also, if I let it boot up uninterrupted, I can hit ENTER for a telnet session to the OpenWRT firmware which the fonware is based on:

Next up is flashing the CAMICIA edition of the linux kernel which permits access to Redboot over the Ethernet port. I may choose XMODEM to transfer files while connected to the serial port. Then i’ll switch to Ethernet to more quickly flash the 0.7.1 edition of fonware which works best with FreeWLAN. Switching to wifi, I’ll manually configure fonware to download FreeWLAN right away, before I ever connect the Ethernet to the Internet, preventing further fonware updates. Fonware updates get slipstreamed into future FreeWLAN editions, and thus the router really does stay up-to-date.

The first crack for La Fonera Plus comes to us courtesy of FrancoFon. FrancoFon was recently heralded by Fon President Martin Varsavsky for their La Fonera 1.x improvements. Like FreeWLAN, FrancoFon does not replace Fon’s firmware, but adds functionality through modular addons.

La_Fonera_Plus/Ouvrir_ssh_sans_cable…

http://www.fonboard.nl/wiki/La_Fonera_Plus_Access

http://www.fonboard.nl/wiki/HowTo_Foneraplus_unlocking/en

How to activate SSH on Fonera Plus

Configure your computer with 192.168.1.254 IP address

Install a little webserver on your computer (like Apache)

Download the file redboot.pl

Download the firmware file firmware_francofon.bin and put it into the home directory of your webserver

Install perl and its dependencies perl-Net-Telnet and also, install fping.

Connect the La Fonera directly to your computer.

Start the previously download script: perl redboot.pl 192.168.1.1

Start your fonera.

Once done, you should have access to telnet command.

Enter the following command:

ip_address -l 192.168.1.1/24 -h 192.168.1.254
and enter:

fis delete image
load -r -b 0×80100000 /firmware_francofon.bin -m HTTP -h 192.168.1.254
fis create -b 0×80100000 -l 0×00237040 -f 0xA8040000  -e 0×80040400  -r 0×80040400 image

Wait until the end of the flashing! That’s all, you should have now access to SSH

So it looks like the trick was in discovering which IP:port La Fonera Plus was listening to when it powers up, and designing the script to hammer at it. This is how telnet access is aquired, and from there, the firmware_francofon.bin addition can be downloaded from your client PC. SSH is then one of the benefeits of using the FrancoFon add-on.

I’m interested in seeing a comparison of the features between FreeWLAN and FrancoFon to show what each project offers, and which features work better.

It sounds like FrancoFon is sharing their method with FreeWLAN, so we should see that become available for La Fonera Plus soon too!

http://fonblog.eu/2007/10/28/fonera-plus-hack-finally-we-did-it/